Contributor
November 21, 2008
Question

Alerts on Ipsec VPN tunnels down

We have many FortiGates around our sites and they are connected by IPsec VPN tunnels. We sometimes find an IPsec VPN tunnel goes down for some reason. I want to be able to configure alerts on all my FortiGates which will email me when any VPN tunnels go down. Can someone advise on how I can configure these alerts to get alerted on this specific issue?

    4 replies

    abelio
    SuperUser
    November 21, 2008
    You could configure alerts by "IPsec tunnel errors" (look at Log&Reports->LogConfig->AlertEmail). It's not exactly 'ipsec down', but when it tries to regenerate you'll receive some alerts. However, you will also receive more alerts (i.e. a DPD error for instance) even if your tunnel is up.
    TopJimmy
    New Member
    November 21, 2008
    Do you have an Analyzer? I just set up an Analyzer "Alert" to email when the tunnel goes down or comes up. You could also just use a syslog server to do the same thing. Looks something like this:
    ====Alert====
    From: flg(FLG800xxxxxxxxx)
    Trigger Name: CoLo Tunnel Down
    Log type: event log
    Alert Severity: High
    Triggered Threshold: More than 1 event occured in the last 0.5 hour.
    Source Device: Primary_FGT800[Hostname:fw.saf.local SN:FGT800xxxxxxxxx IP:xxxx.xxx.xxx.xxx]
    Last Raw Message: itime=1227297354 date=2008-11-21 time=12:55:54 devname=FGT800xxxxxxxxx device_id=FGT800xxxxxxxxx log_id=0101023012 type=event subtype=ipsec pri=notice vd=root loc_ip=xxxx.xxx.xxx.xxx loc_port=500 rem_ip=xxxx.xxx.xxx.xxx rem_port=500 out_if="external" vpn_tunnel="CoLoPH2" action=tunnel_down user="N/A" group="N/A" msg="IPsec tunnel to xxxx.xxx.xxx.xxx:500 is down"
    Contributor
    November 24, 2008
    I have a FortiAnalyzer; I think this is what I need. I have 9 FortiGates and I want to be alerted when any of the VPN tunnels go down. All FortiGates are being logged to the FortiAnalyzer. Are you able to give me instructions on how I can do this?
    TopJimmy
    New Member
    November 25, 2008
    Below is a screenshot of the "alert" I built in the FAZ. I'm running MR7 Patch 2 on it. I removed the IP addresses and names from the screenshot, but you get the idea.

    1.) Create new alert
    2.) Give it a name (my example is: CoLo Tunnel Down)
    3.) Select the FortiGate you want to use (my example is for all FortiGates)
    4.) Select "Event Log" and "Notification" as your trigger. I just dug through my event log until I found an entry that the tunnel was down and cut the info out of the event log
    5.) Under "Log Filters" select "Generic Text" and paste in the log entry from #4 above. My example says "IPsec Tunnel to <ip address and port here> is down"
    6.) Select your "Threshold". 1 event in 1/2 hour is the minimum, so it triggers on any event that meets your trigger/filter from above.
    7.) Set up the destination for your alert. Mine are all whited out, but it's pretty easy.

    Then test away. I was able to test this during production hours and it works great. Post back and let us know how it went for you. I also set up the same alert with the generic text that says "IPsec Tunnel to <ip address and port here> is up" to alert me when it comes back up.
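
For the syslog-server route mentioned in the thread, here is an added example (not from any poster and not Fortinet code) that parses key=value lines shaped like the raw message quoted above and reports tunnel up/down changes. It goes a little beyond the thread by suppressing repeated "down" events and ignoring other IPsec events such as DPD errors. The sample lines, device names, addresses and every action value other than tunnel_down are constructed assumptions.

```python
import re
import shlex

# Constructed sample lines modelled on the raw message quoted in the thread.
# Device names, tunnel names and addresses are placeholders, and the DPD line
# is invented noise rather than a real FortiOS message.
SAMPLE_LOGS = [
    'date=2008-11-21 time=12:55:54 devname=FGT-A type=event subtype=ipsec '
    'vpn_tunnel="CoLoPH2" action=tunnel_down msg="IPsec tunnel to 192.0.2.10:500 is down"',
    'date=2008-11-21 time=12:56:10 devname=FGT-A type=event subtype=ipsec '
    'vpn_tunnel="CoLoPH2" action=tunnel_down msg="IPsec tunnel to 192.0.2.10:500 is down"',
    'date=2008-11-21 time=12:57:02 devname=FGT-A type=event subtype=ipsec '
    'vpn_tunnel="CoLoPH2" action=error msg="IPsec DPD error"',
    'date=2008-11-21 time=12:58:40 devname=FGT-B type=event subtype=ipsec '
    'vpn_tunnel="BranchPH2" action=tunnel_up msg="IPsec tunnel to 192.0.2.20:500 is up"',
    'date=2008-11-21 time=13:02:31 devname=FGT-A type=event subtype=ipsec '
    'vpn_tunnel="CoLoPH2" action=tunnel_up msg="IPsec tunnel to 192.0.2.10:500 is up"',
]

STATE_RE = re.compile(r"IPsec tunnel to (\S+) is (up|down)$", re.IGNORECASE)

def parse_line(line):
    """Split a key=value log line into a dict, honouring quoted values."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quote, e.g. a truncated syslog datagram
        return {}
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def tunnel_alerts(lines):
    """Return (devname, tunnel, state, peer) for each real state change."""
    state, alerts = {}, []
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event" or f.get("subtype") != "ipsec":
            continue
        m = STATE_RE.search(f.get("msg", "").strip())
        if not m:
            continue  # other IPsec events (DPD errors etc.) are not up/down
        key = (f.get("devname", "?"), f.get("vpn_tunnel", "?").strip())
        new, old = m.group(2).lower(), state.get(key)
        state[key] = new
        # Alert on down once, and on up only when it follows a down.
        if (new == "down" and old != "down") or (new == "up" and old == "down"):
            alerts.append((key[0], key[1], new, m.group(1)))
    return alerts

if __name__ == "__main__":
    for alert in tunnel_alerts(SAMPLE_LOGS):
        print("%s: tunnel %s is %s (peer %s)" % alert)
```

Feed the returned tuples to whatever mailer or pager the syslog host already uses; tracking state per (device, tunnel) keeps one flapping site from hiding another.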